[Snort-sigs] Couple sigs

lists at ...3397... lists at ...3397...
Mon Sep 10 11:40:16 EDT 2012


On 09/10/12 10:30, Alex Kirk wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION
> hidden iframe - potential include of malicious content"; flow:to_client,
> established; file_data; content:"<iframe "; nocase; content:"width=1"; nocase;
> distance:0; within:50; content:"height=1"; nocase; distance:-40; within:80;
> content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80;
> classtype:bad-unknown;)

I've seen \x22 and \x27 being used occasionally to quote the in-line style
declaration.

Cheers,
Nathan
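
Added example, not part of the original thread: a simplified Python model of the quoted rule's content chain (distance/within values taken from the rule), run over constructed HTML samples. It shows that the literal `style=visibility|3a|hidden` match does not fire on the \x22- and \x27-quoted forms mentioned in the reply, and that an assumed quote-tolerant pattern does. The names `chain_matches` and `results`, the regex, and the sample pages are assumptions for illustration.

```python
import re

# Content chain from the quoted rule: (pattern, distance, within).
# distance/within of None means the search is not relative to a prior match.
ORIGINAL = [
    (re.escape("<iframe "), None, None),
    (re.escape("width=1"), 0, 50),
    (re.escape("height=1"), -40, 80),
    (re.escape("style=visibility:hidden"), -40, 80),
]
# Assumed variant: allow an optional \x22 or \x27 after "style=".
QUOTE_TOLERANT = ORIGINAL[:3] + [(r"style=[\x22\x27]?visibility:hidden", -40, 80)]

def chain_matches(data, steps, i=0, prev_end=0):
    """Simplified model of relative content matching, with backtracking."""
    if i == len(steps):
        return True
    pattern, distance, within = steps[i]
    start = 0 if distance is None else max(0, prev_end + distance)
    end = len(data) if within is None else min(len(data), start + within)
    rx = re.compile(pattern, re.IGNORECASE)  # every content in the rule is nocase
    pos = start
    while pos < end:
        m = rx.search(data, pos, end)
        if m is None:
            return False
        if chain_matches(data, steps, i + 1, m.end()):
            return True
        pos = m.start() + 1  # try a later occurrence of this step
    return False

# Constructed sample responses (not captured traffic).
PREFIX = '<iframe src="http://example.invalid/a" width=1 height=1 '
SAMPLES = {
    "unquoted": PREFIX + "style=visibility:hidden></iframe>",
    "double": PREFIX + 'style="visibility:hidden"></iframe>',
    "single": PREFIX + "style='visibility:hidden'></iframe>",
    "benign": '<iframe src="http://example.invalid/a" width=640 height=480></iframe>',
}

def results(steps):
    return {name: chain_matches(html, steps) for name, html in SAMPLES.items()}

if __name__ == "__main__":
    print("original      ", results(ORIGINAL))
    print("quote-tolerant", results(QUOTE_TOLERANT))
```

In a rule, the same tolerance would typically be expressed with a pcre option or additional content alternatives; the regex here only models that idea.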




